California is hoping to become the first state in the nation to earn a major federal security certification for its cloud computing services.
The state’s Department of Technology has applied for certification with the General Services Administration’s Federal Risk and Authorization Management Program — known as FedRAMP — for its CalCloud service. CIO Carlos Ramos first revealed the move at a California State Assembly committee hearing earlier this month, but Teala Schaff, a spokeswoman for the department, told StateScoop they formally applied last October.
“Providing our customers with a secure platform was the overarching motivation” for the move, Schaff said, as “compliance with FedRAMP would minimize the risk to state data and California constituent information.” However, the move would also allow federal agencies operating in the state to start buying the service, joining the 60 state agencies currently customers of CalCloud.
“What I see is, down the road, I think we’re going to see more and more agencies starting to move into cloud computing,” Ramos said at the hearing. “And, specifically, leveraging the services portfolio that we’ve developed.”
Ramos noted that his department has taken a “layered approach to information security” for CalCloud, and the service is already compliant with the FBI’s Criminal Justice Information Services standard and meets the benchmarks laid out in the Federal Information Security Management Act.
Yet, Chris Cruz, the department’s chief deputy director of operations, added that many state agencies looking for services with FedRAMP certification instead were frustrated by outside providers adding an “additional rate for FedRAMP adherence.”
Once the department can earn a green light from FedRAMP, Cruz thinks they can help agencies save money by avoiding those sorts of added costs.
“You’re getting the highest level security compliance within our cloud in terms of those rate structures while those other organizations may charge,” Cruz said.
However, the process of earning FedRAMP approval has been a tricky one for the state since they’re entering uncharted territory, Ramos said.
“The feds weren’t sure how to deal with us,” Ramos said. “They’re like, ‘We don’t normally do this.’”
Schaff said the department has heard from FedRAMP that the process “can take as long as 18 to 36 months” but also that the feds are “actively working on ways to streamline the certification process.” A GSA spokeswoman didn’t respond to multiple requests for comment about a timeline for the application’s review.
But Schaff noted that state regulations already require that CalCloud align with the controls laid out by the National Institute of Standards and Technology’s “Special Publication 800-53.” Since those standards inform FedRAMP’s requirements, Schaff believes that the department is already well positioned to be certified.
Complicating the matter are the major shakeups at the top of the IT department. Last week, Ramos announced that he’d be resigning at the end of March, while Chief Information Security Officer Michele Robinson stepped down March 8.
Amy Tong, chief deputy director of the Office of Systems Integration and agency information officer of the state’s Health and Human Services Agency, will be filling as interim CIO as the state searches for a permanent replacement, leaving it to her to continue to shepherd further development of CalCloud.
But even as the department waits for FedRAMP’s approval, Ramos foresees plenty for IT staff to work on with the service, as more agencies look to join up and other states and localities try to lead similar efforts.
“We’re seeing other state and local governments not only come to us and start to try [to] access our services, but many of them are starting to follow our example” as well, Ramos said.
“I’ve had folks reach out to me from the city of Seattle, from other states across the country, saying, ‘Hey how did you do that? We want to try to do this.’”
Contact the reporter who wrote this story at email@example.com, or follow him on Twitter at @AlexKomaSNG.